DETAILED ACTION
Claim Rejections - 35 USC §112 

1. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter, which the applicant regards as his invention. 

2. The term "substantially minimized" in claim 31 is a relative term, which renders 
the claim indefinite. The term "substantially minimized" is not defined by the claim, the 
specification does not provide a standard for ascertaining the requisite degree, and one 
of ordinary skill in the art would not be reasonably apprised of the scope of the 
invention. The degree to which a number of displayed events is minimized needs to be 
recited in the claim. 



Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 18-22 and 40 are rejected under 35 U.S.C. 102(e) as being anticipated
by Trcka (U.S. Patent No. 6,453,345 B2).

5. Referring to the instant claims, Trcka discloses a network security and
surveillance system (see abstract and Fig. 3). Trcka teaches that a network security
and surveillance system passively monitors and records the traffic present on a local
area network, wide area network, or other type of computer network, without interrupting
or otherwise interfering with the flow of the traffic. Raw data packets present on the
network are continuously routed (with optional packet encryption) to a high-capacity
data recorder to generate low-level recordings for archival purposes. The raw data
packets are also optionally routed to one or more cyclic data recorders to generate
temporary records that are used to automatically monitor the traffic in near-real-time. A
set of analysis applications and other software routines allows authorized users to
interactively analyze the low-level traffic recordings to evaluate network attacks, internal
and external security breaches, network problems, and other types of network events
(see abstract and Fig. 3).

6. Referring to the independent claims 18 and 22, the limitation "an event collector
linked to the plurality of data sources" is met by archival data processing module (90 in
Fig. 3). The limitation "a fusion engine linked to the event collector" is met by
surveillance data processing module (94). The limitation "identifying relationships
between two or more raw events generated by the data sources" is met by separating
packets into "good" and "bad" ones. The limitation "a console linked to the event
collector for displaying any output generated by the fusion engine" is met by GUI (104 in
Fig. 3). Referring to claim 22, the limitation "a raw event classification database linked
to the classifier" is met by media 80 (in Fig. 3). The limitation "a context database linked
to the context based risk-adjustment processor" is met by databases 82 and 82 linked to
processing module 90 (see Fig. 3). The limitation "a rule database, for determining if
relationships exist between two or more events" is met by traffic analysis databases (96
in Fig. 3).

7. Referring to claims 19-21, it is inherent to have a detector comprising a chip and
running in a kernel mode and a fusion engine comprising software running on the
computer.

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1-17, 23-39 and 41 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Trcka (U.S. Patent No. 6,453,345 B2) in view of Mikurak (U.S.
Patent No. 6,606,744 B1).

10. Referring to the instant claims, Trcka discloses a network security and
surveillance system (see abstract and Fig. 3). Trcka teaches that a network security
and surveillance system passively monitors and records the traffic present on a local
area network, wide area network, or other type of computer network, without interrupting
or otherwise interfering with the flow of the traffic. Raw data packets present on the
network are continuously routed (with optional packet encryption) to a high-capacity
data recorder to generate low-level recordings for archival purposes. The raw data
packets are also optionally routed to one or more cyclic data recorders to generate
temporary records that are used to automatically monitor the traffic in near-real-time. A
set of analysis applications and other software routines allows authorized users to
interactively analyze the low-level traffic recordings to evaluate network attacks, internal
and external security breaches, network problems, and other types of network events
(see abstract).

11. Referring to the independent claims 1, 14 and 31, the limitation "receiving raw events
from one or more data sources" is met by raw data packets present on the network (see
abstract and Fig. 2). The limitation "classifying the raw events; storing the raw events"
is met by filtering out packets based on pre-specified criteria (see 40 in Fig. 1) and
recording the processed packet stream on a storage medium (see 50 in Fig. 1). The
limitation "assigning a ranking to each raw event" is met by pre-specified criteria for
filtering (see Fig. 1, block 40). The limitation "identifying relationships between two or
more raw events" is met by filtering traffic into "good" and "bad" packets as shown in
Fig. 3. The analyses of raw events are performed in processing module 98 (Fig. 3).
Trcka shows displaying the event messages on the console (see GUI 104).

Trcka, however, does not explicitly teach generating one or more correlation event 
messages. 

12. Referring to the instant claims, Mikurak discloses collaborative installation
management in a network-based supply chain environment (see abstract and Fig. 2).
Mikurak teaches that in a correlation step 4506, the event gathered in step 4504 is
correlated with a second event obtained from a packet-switched network element. As
with circuit-switched network elements, packet-switched event gathering and
interpretation is typically performed by custom developed software interfaces, which
communicate directly with the network elements, process raw network events, and sort
the events by context prior to storing them. The correlation is provided by a rules-based
inference engine. After the events are correlated, a fault message is created in a fault
message step 4508 (see Fig. 4). The limitation "correlation event message" is met by a
fault message.

Therefore, at the time the invention was made, it would have been obvious to one of
ordinary skill in the art to modify the network security and surveillance system of Trcka
by filtering the raw events and generating the correlation event message as taught in
Mikurak. One of ordinary skill in the art would have been motivated to modify the
network security and surveillance system by filtering the raw events and generating the
correlation event message as taught in Mikurak in order to create a comprehensive library of
all message types generated by the hybrid system and to translate the correlated events
into a standard object format (see Mikurak).
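To make the claim elements walked through in paragraphs 11 and 12 concrete (raw events received from several data sources, classified and ranked, stored by type, related to one another by a rule, and turned into a correlation event message), here is an added Python sketch; it is not code from either cited patent or from this application, and the sample events, classification table, context table and rule are all constructed for illustration.

```python
from collections import defaultdict

# Constructed raw events from two data sources (firewall, IDS); not from either patent.
RAW_EVENTS = [
    {"source": "firewall", "type": "port_scan", "host": "10.0.0.5", "ts": 100},
    {"source": "ids", "type": "exploit_attempt", "host": "10.0.0.5", "ts": 130},
    {"source": "firewall", "type": "port_scan", "host": "10.0.0.9", "ts": 140},
    {"source": "ids", "type": "exploit_attempt", "host": "10.0.0.9", "ts": 900},
]
# Raw event classification database: event type -> (category, base rank).
CLASSIFICATION = {"port_scan": ("recon", 2), "exploit_attempt": ("attack", 5)}
# Context database: host -> risk multiplier (assumed: 10.0.0.5 is a critical asset).
CONTEXT = {"10.0.0.5": 2.0}
# Rule database: (first type, second type, window in seconds, correlation message).
RULES = [("port_scan", "exploit_attempt", 300, "scan_followed_by_exploit")]

def classify(event):
    """Classifier with context-based risk adjustment: add category and rank."""
    category, base = CLASSIFICATION.get(event["type"], ("unknown", 1))
    return {**event, "category": category,
            "rank": base * CONTEXT.get(event["host"], 1.0)}

def store(events):
    """Raw event storage areas keyed by the category the classification DB assigned."""
    areas = defaultdict(list)
    for ev in events:
        areas[ev["category"]].append(ev)
    return dict(areas)

def fuse(events):
    """Fusion engine: a rule relates two raw events on one host inside a time window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    messages = []
    for first, second, window, name in RULES:
        for host, evs in by_host.items():
            for x in (e for e in evs if e["type"] == first):
                for y in (e for e in evs if e["type"] == second):
                    if 0 <= y["ts"] - x["ts"] <= window:
                        messages.append({"message": name, "host": host,
                                         "rank": x["rank"] + y["rank"]})
    return messages

def run(raw=RAW_EVENTS):
    """Collector -> classifier -> storage -> fusion; returns (areas, messages)."""
    classified = [classify(e) for e in raw]
    return store(classified), fuse(classified)
```

Calling `run()` on the constructed input yields one correlation event message for host 10.0.0.5 (scan followed by an exploit attempt within the window) and none for 10.0.0.9, whose two events are too far apart; the console element of the claims would simply display that returned list.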

13. Referring to the independent claim 14, the limitation "creating raw event storage
areas based upon information received from a raw event classification database and
storing each event in an event storage area based upon an event type parameter" is
met by storage areas 82 and 84 and the traffic analysis database 96 (see Fig. 3 of
Trcka). The limitation "comparing each raw event to the data contained in a context
database" is met by analysis applications running on the post-capture module coupled to
the traffic analysis database (see units 100, 98 and 96).

14. Referring to claims 31 and 35, the limitation "classifying the raw events" is met by
separating raw data packets into "good" and "bad" ones (see Fig. 3). The limitation
"displaying one or more ... messages on the console" is met by GUI (104 in Fig. 3).

15. Referring to claims 3 and 33, Trcka teaches that raw events are received in real 
time through the network card (88). 

16. Referring to claims 5, 8, 28 and 30, the limitation "comparing the event type
parameter with the event type parameter of a list" is met by comparing parameters of a
captured raw data packet with the ones stored in the traffic analysis database (96).

17. Referring to claim 6, the limitation "assigning additional parameters to each raw 
event" is met by assigning "good" or "bad" status to the packets (see Fig. 3, block 90). 

18. Referring to claims 7, 16, 26 and 29, Mikurak teaches sorting the events by 
context (i.e. text string) prior to storing them. 

19. Referring to claim 9, "associating each raw event with a rule which corresponds 
with a type parameter" is met by analysis applications (100). 

20. Referring to claim 10, it is well known in the art to store event data in RAM. One
of ordinary skill in the art would have been motivated to store raw events in RAM to
take advantage of the high access speed of RAM.

21. Referring to claims 17 and 25, it is well known in the art to have a database
comprising tables representing different categories of data. One of ordinary skill in the
art would have been motivated to create classification tables according to categories
of raw events for effective analysis of data.
Conclusion

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Grigory Gurshman whose telephone number is
(571) 272-3803. The examiner can normally be reached 9 AM-5:30 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (571)272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 




Grigory Gurshman

Examiner